IT4K12 – Privacy in the Digital Space
Ministry of Education
Office of Chief Information Officer
Matt says he wants to see everyone do cool things, but be responsible about it. Easier to say “How can we help you do that” instead of just saying “No”.
The OCIO is responsible for FOIPPA, the Personal Information Protection Act (PIPA), the Information Management Act (IMA), and the Electronic Transactions Act (ETA). They come and do training wherever, and attempt to be as helpful as possible.
There is also the OIPC. Elizabeth Denham is the BC Information and Privacy Commissioner; the OIPC works separately and oversees investigations, mediations, and reviews.
FOIPPA specifically applies to “public bodies” in BC.
Show Your Work – Matt reminded us that it is important to show that we are doing the work, document our processes and what we’re doing so that when we are asked, we’ll have detail and data to demonstrate.
Privacy Impact Assessment
- If used as part of normal business processes, the PIA can ensure that privacy requirements are identified and satisfied in a timely and cost efficient manner.
- PIA process is also designed as an educational tool – participating in privacy impact assessments promotes privacy awareness
- The PIA can make the difference between a privacy invasive and a privacy enhancing initiative, without compromising business objectives or adding significant costs.
- Ministry has a number of resources here.
Collection of Personal Information
- Collection of personal information must be limited to that which is necessary and relevant
- Collection must be direct (unless excepted under FOIPPA)
- Collection notification must be given (unless excepted under FOIPPA)
- Social Media is interesting, because lots of information is put out there, but it’s not supposed to be used for collecting information
Here is an example from @BCEDPLAN: Notice the collection notice link:
Disclosure, Storage and Access
- Personal information must not be disclosed inside/outside of Canada, unless an exception in FOIPPA applies
- Storage and access must be inside Canada, unless an exception in FOIPPA applies (note, B.C. is one of only two jurisdictions in Canada with this requirement)
- Reasonable security must be in place to protect from unauthorized access
- A public body must make reasonable security arrangements to protect personal information (s. 30)
- Should be appropriate and proportional to the sensitivity of the personal information e.g. suspension information vs. lunch order
- Safeguards should include:
  - Physical measures (e.g. locked file cabinets, restricted access to offices)
  - Technological measures (e.g. user IDs, passwords, encryption)
  - Have policies and procedures for keeping files secured
Of interest: tokenization may be something that helps store / secure data offsite.
De-identification may be a way to remove information so that what is left does not have personally identifiable substance. (This could be manual tokenization.) One could provide a unique identifier to a student so that they know the data is theirs, but no one else does: for example, storing a report card without a name, but with a unique code that the student knows.
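The report-card idea above, sketched in Python as an added example (not from the session or the Ministry): direct identifiers are swapped for a random code, the de-identified record is what would go offsite, and the code-to-identity table stays on local storage. The field names, the `TokenVault` class and the sample record are assumptions made up for illustration.

```python
import secrets

# Fields treated as direct identifiers in this constructed example (assumption).
DIRECT_IDENTIFIERS = {"name", "student_number", "date_of_birth"}


class TokenVault:
    """Token-to-identity mapping; this is the part meant to stay on local storage."""

    def __init__(self):
        self._by_token = {}
        self._by_student = {}

    def token_for(self, student_number, identity):
        # One token per student, so that student's records remain linkable.
        if student_number not in self._by_student:
            token = secrets.token_urlsafe(16)  # random, not derived from the identity
            self._by_student[student_number] = token
            self._by_token[token] = identity
        return self._by_student[student_number]

    def reidentify(self, token):
        return self._by_token[token]


def deidentify(record, vault):
    """Return a copy of record with direct identifiers replaced by a token."""
    identity = {k: v for k, v in record.items() if k in DIRECT_IDENTIFIERS}
    token = vault.token_for(record["student_number"], identity)
    cleaned = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    # Free text can still name the student; this scrubs exact full-name matches only.
    if "comment" in cleaned:
        cleaned["comment"] = cleaned["comment"].replace(record["name"], "[student]")
    cleaned["token"] = token
    return cleaned


# Constructed sample report card, not real data.
SAMPLE = {
    "name": "Jamie Example",
    "student_number": "S-0001",
    "date_of_birth": "2008-01-01",
    "term": "Fall",
    "grades": {"Math": "B", "English": "A"},
    "comment": "Jamie Example participates well in class.",
}

if __name__ == "__main__":
    vault = TokenVault()
    offsite = deidentify(SAMPLE, vault)
    print("store offsite:", offsite)
    print("kept locally :", vault.reidentify(offsite["token"]))
```

The token is random rather than a hash of the student number, so it cannot be recomputed by someone who knows or guesses the identifier; only the locally held vault links it back.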
If we can’t do these things, consent makes the allowance – that is, if you have consent to store information outside of the country, then there are ways to make it happen.
- Does it cover all of the personal information?
- Is it specific enough / clear enough?
- Does it contain all of the required elements?
- Is it signed / agreed to by the correct person?
Suggest that Middle / High School students sign for consent, and parents are essentially only witnesses, which is different than how we normally see consent in schools.
Privacy by Design – www.privacybydesign.ca has some great content that, although not B.C.-specific, will get you 90% of the way towards getting privacy done right.
BC Privacy and Access Helpline: 250-356-1851
(Enquiry BC 1 800 663-7867)